Firewall being bypassed (Captcha, JS Challenge, Block)

Hi all,

I’m not sure if anyone has experienced this, but for a couple of days our website has been under very heavy Layer 7 DDoS attacks.
It’s not uncommon; we have got used to it, and we were able to protect our website with the help of CloudFlare protection and a few firewall rules, and we were all set.

But this time, the last 24 hours were a ■■■■ for us unfortunately. Even though we have put firewall rules in place to captcha all countries except our own market country, we were somehow able to observe millions of requests going beyond CloudFlare and reaching our server from thousands of IPs in countries that have the captcha challenge active.

This was not the first time we have observed this, so, taking into consideration the technology expansion, we blocked all countries except our market country. Guess what? The attacker was able to bypass that too…

I would like to mention that our server is not accessible other than from CloudFlare IPs, therefore there is not even a way to receive such attacks directly at our server IP, so that’s not the problem.

I just want to understand how they are able to bypass CloudFlare protection, whether anyone else has experienced this, and whether CloudFlare is taking action to mitigate this type of bypassing of their technology.

Example screenshot of the heavy DDoS:



Attaching again as the firewall rules count was not visible.

I have tested with all rules OFF and only the following rule being active:

P.S.: I have removed the actual domain name and put in a generic one. Even with this rule our domain was getting hit from every country possible in the world.

@DoubleA,

Layer 7 attacks can be difficult to protect against; captchas are good, but not completely impossible to bypass with sophisticated enough tooling. There are additional layers of protection you might consider, such as:

  • Outright blocks of countries/ASNs globally or for particular portions of the website.
  • Bot Fight mode
  • Bot Management
  • User agent blocking
  • Rate Limiting
  • Increased caching (cache everything or custom cache keys) for resources which aren’t dynamic.
  • IP reputation blocks

– OG

Hey Oliver,

Thank you for your reply and suggestions. I have tried all of the options, including blocking ALL countries, not just captcha.

What I have tried until now:

  • JS Challenge
  • Captcha
  • Bot Fight Mode
  • User Agent Blocking (only a few, as most of the Layer 7 attacks come from the latest browser user agents and they are random, acting like real users)
  • Rate Limiting - Didn’t help much, as they are bypassing this too!
  • Increased Caching - We have cached as much as possible, but as it’s a community platform (XenForo) it is hard to cache everything.
  • IP reputation blocks
  • Blocking all countries except our own market
  • Blocking all countries + Captcha for our own market (there is not much difference, as the attacks’ origin is outside of our market).
  • Blocking IPs manually from the Tools section of the Firewall
  • The last thing we managed to do is manually ban IPs from the LiteSpeed Web Server.

@DoubleA,

If a blocked country gets through, then either a. you haven’t really prevented access to your origin server from non-Cloudflare IP addresses, or b. you should look to make sure your origin is only accepting requests for its hostname, and look at Authenticated Origin Pulls.

– OG

CloudFlare’s JS Challenge is easily bypassed by various scrapers and is abused for Layer 7 attacks. The captcha challenge should be sufficient to block most of the traffic, since it is far harder to bypass. Try forcing a captcha challenge on all traffic for a couple of hours, while whitelisting any API or other services you run that require a visit to your website.

Under the firewall rules, it should show the captcha solve percentage. If the percentage is high, then your next option is to enable global rate limiting. The rate limiting CloudFlare offers is per IP, not across all IPs. Try only allowing 1000 connections to your site, and push the other requests to a queue or a waiting page (one that will attempt to redirect after a couple of seconds).

Caching plays a big role in stopping DDoS attacks; blocking IPs won’t help, because the attacker is most likely using proxies. Gather a collection of the ASNs from the attack, figure out which are from cloud hosting (DigitalOcean, Online SAS, Choopa, OVH, etc.), and force a captcha challenge on those ASNs.

Also, for the firewall rule you tested:

Instead, try just the country field (Country does not equal Turkey).
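Worked example, added here as an illustration and not code from any participant in this thread, of the two checks suggested above: Oliver’s point that a “blocked” country still reaching the origin usually means the origin is reachable from non-Cloudflare addresses (so the firewall was never in the path), and smalldoink’s suggestion to gather the attacking ASNs and challenge the hosting ones. It assumes a constructed Apache/LiteSpeed combined log format with the CF-Connecting-IP and CF-IPCountry headers appended as two extra fields, a point-in-time snapshot of Cloudflare’s published IPv4 edge ranges, a made-up prefix-to-ASN table built from documentation prefixes and private ASNs, and an assumed set of “hosting” ASNs; the emitted rule uses the ip.geoip.asnum field of Cloudflare’s rules language.

```python
"""Triage an L7 flood from origin access logs: separate requests that reached the
origin directly (TCP peer is not a Cloudflare edge) from proxied ones, then summarise
the proxied traffic by country and ASN so an ASN challenge rule can be written."""
import ipaddress
import re
from collections import Counter

# Snapshot of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
# Assumption: this is a point-in-time copy; refresh it from the live list before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed prefix -> (ASN, name) table standing in for a real ASN database.
# Uses documentation prefixes (RFC 5737) and private ASNs (RFC 6996).
ASN_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): (64500, "EXAMPLE-CLOUD"),
    ipaddress.ip_network("198.51.100.0/24"): (64501, "EXAMPLE-ISP"),
    ipaddress.ip_network("192.0.2.0/24"): (64502, "EXAMPLE-VPS"),
}
# Assumption: which of those ASNs are cloud/VPS hosting rather than residential ISPs.
HOSTING_ASNS = {64500, 64502}

# Constructed log format: Apache "combined" plus the CF-Connecting-IP and CF-IPCountry
# request headers appended as two extra quoted fields. Requests that did not pass
# through Cloudflare carry no such headers, so both fields log as "-".
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<cfip>[^"]*)" "(?P<country>[^"]*)"$'
)

# Constructed sample: four proxied hits (peers in Cloudflare ranges) and two direct hits.
SAMPLE_LOG = """\
172.68.10.5 - - [01/Feb/2021:10:00:01 +0000] "GET /forums/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "203.0.113.7" "US"
172.68.10.5 - - [01/Feb/2021:10:00:01 +0000] "GET /forums/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "203.0.113.8" "US"
172.68.10.9 - - [01/Feb/2021:10:00:02 +0000] "GET /threads/1/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0" "192.0.2.40" "DE"
162.158.3.1 - - [01/Feb/2021:10:00:02 +0000] "GET /forums/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "198.51.100.20" "TR"
203.0.113.99 - - [01/Feb/2021:10:00:03 +0000] "GET /forums/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-" "-"
203.0.113.100 - - [01/Feb/2021:10:00:03 +0000] "GET /forums/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-" "-"
"""


def is_cloudflare_edge(ip: str) -> bool:
    """True if the TCP peer address belongs to a Cloudflare edge range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def lookup_asn(ip: str):
    """Return (asn, name) for the client IP from the constructed table, or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_TABLE.items():
        if addr in net:
            return asn
    return None


def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def triage(records: list) -> dict:
    """Split records into direct-to-origin hits and proxied hits, summarising the latter."""
    direct, by_country, by_asn = [], Counter(), Counter()
    for r in records:
        if not is_cloudflare_edge(r["peer"]):
            # Peer is not a Cloudflare edge: Cloudflare's firewall was never in the path,
            # so no country block or captcha could have applied to this request.
            direct.append(r["peer"])
            continue
        by_country[r["country"]] += 1
        asn = lookup_asn(r["cfip"])
        if asn:
            by_asn[asn] += 1
    return {"direct": direct, "by_country": by_country, "by_asn": by_asn}


def challenge_expression(by_asn: Counter, hosting=HOSTING_ASNS, min_hits: int = 1) -> str:
    """Cloudflare rules-language expression challenging the hosting ASNs seen in the flood."""
    asns = sorted(asn for (asn, _), n in by_asn.items() if asn in hosting and n >= min_hits)
    return "(ip.geoip.asnum in {%s})" % " ".join(str(a) for a in asns)


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG))
    print("direct-to-origin peers:", report["direct"])
    print("proxied by country:", dict(report["by_country"]))
    print("proxied by ASN:", {f"AS{a} {n}": c for (a, n), c in report["by_asn"].items()})
    print("challenge rule:", challenge_expression(report["by_asn"]))
```

If the "direct" list is non-empty on a real log, the origin is still reachable without going through Cloudflare, which is case a. in Oliver's reply; fix that with an origin firewall allowlist of the edge ranges (or Authenticated Origin Pulls) before tuning any Cloudflare rules, because nothing in the dashboard can stop traffic that never arrives there. The ASN expression only makes sense for the proxied portion, and the prefix-to-ASN table here is a stand-in for a real ASN database.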

Hey smalldoink,

We have tried that too and it is still being bypassed. There is no captcha challenge solve percentage; it’s like they are bypassing the system entirely.

Anyway, for now we have moved to a different proxy provider (similar to CloudFlare); the attacks are being filtered automatically and we’re good for now.

Thank you everyone for your replies. I hope that the issue with bypassing will be solved in the near future.
